When to restart Splunk Enterprise after a configuration file change

When you make changes to Splunk Enterprise using the configuration files, you might need to restart Splunk Enterprise for the changes to take effect.

Note: Changes made in Splunk Web are less likely to require restarts. This is because Splunk Web automatically updates the underlying configuration file(s) and notifies the running Splunk instance (splunkd) of the changes.

This topic provides guidelines to help you determine whether to restart after a change. Whether a change requires a restart depends on a number of factors, and this topic is not a definitive authority. Always check the configuration file or its reference topic to see whether a particular change requires a restart. For a full list of configuration files and an overview of the area each file covers, see List of configuration files in this manual.

When to restart forwarders

If you make a configuration file change to a heavy forwarder, you must restart the forwarder, but you do not need to restart the receiving indexer. If the changes are part of a deployed app already configured to restart after changes, then the forwarder restarts automatically.

When to restart splunkweb

You must restart splunkweb to enable or disable SSL for Splunk Web access.

When to restart splunkd

As a general rule, restart splunkd after making the following types of changes.

Changing the time zone in the OS of a Splunk Enterprise instance (Splunk Enterprise retrieves its local time zone from the underlying OS at startup)

Installing some apps may require a restart. Consult the documentation for each app you are installing.

Splunk Enterprise changes that do not require a restart

Search-time processing settings

Settings that apply to search-time processing take effect immediately and do not require a restart. This is because searches run in a separate process that reloads configurations. For example, lookup tables, tags, and event types are re-read for each search.

This includes (but is not limited to) changes to:

Lookup tables

Field extractions

Knowledge objects

Tags

Event types

Files that contain search-time operations include (but are not limited to):

macros.conf

props.conf

transforms.conf

savedsearches.conf (If a change creates an endpoint you must restart.)

To reload your endpoints type the following into your browser:

http://<yoursplunkserver>:8000/en-US/debug/refresh

Index-time settings

Index-time props and transforms do not require restarts, as long as your indexers are receiving the data from forwarders. That is to say:

Changes to props.conf and transforms.conf on an indexer do not require restarts.

In an indexer cluster, changes to props.conf and transforms.conf are automatically reloaded when the peers receive the changes from the master.

On a non-clustered indexer, changes to props.conf and transforms.conf require a reload.

On either a clustered or non-clustered indexer, once the .conf files have reloaded, the changes take effect after a forwarder auto-LB time period.

Workload management settings

How to reload files

To reload transforms.conf:

http://<yoursplunkserver>:8000/en-US/debug/refresh?entity=admin/transforms-lookup
(for new lookup file definitions that reside within transforms.conf)

http://<yoursplunkserver>:8000/en-US/debug/refresh?entity=admin/transforms-extract
(for new field transforms/extractions that reside within transforms.conf)

To reload authentication.conf, use Splunk Web. Go to Settings > Access controls > Authentication method and click Reload authentication configuration. This refreshes the authentication caches, but does not disconnect current users.

Use cases

In complex situations, restarting Splunk Enterprise is the safest practice. Here are a few scenarios where you might (or might not) be able to avoid a restart.

Scenario: You edit search- or index-time transforms in props.conf and transforms.conf

Whether to restart depends on whether the change is related to an index-time setting or a search-time setting. Index-time settings include:

line breaking

timestamp parsing

Search-time settings relate mainly to field extraction and creation and do not require a restart. Any index-time changes still require a restart. For example:

1. If props.conf and transforms.conf are configured as search-time transforms on the index, you do not have to restart. For search-time changes, each time you run a search, Splunk software reloads the props.conf and transforms.conf.

2. If the search-time changes are on a heavy forwarder, you must restart that forwarder. (If the changes are part of a deployed app configured to restart after changes, then this happens automatically.)

3. If it is an index-time transform on the indexer, you must restart the indexer.
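The following added example (not Splunk code) applies the three rules of this scenario to a change in props.conf: it diffs two versions of the file, classifies each changed setting as index-time or search-time, and returns the restart advice for the instance role. The grouping of setting names, the role labels, and the function names are assumptions made for illustration; the sample stanza is constructed.

```python
import re

# Assumption: a representative subset of props.conf setting names, grouped by
# when Splunk applies them. Extend both patterns from the props.conf reference.
INDEX_TIME = re.compile(r"^(LINE_BREAKER|SHOULD_LINEMERGE|BREAK_ONLY_BEFORE|TRUNCATE|"
                        r"TIME_PREFIX|TIME_FORMAT|MAX_TIMESTAMP_LOOKAHEAD|TZ|"
                        r"TRANSFORMS-.+|SEDCMD-.+)$")
SEARCH_TIME = re.compile(r"^(EXTRACT-.+|REPORT-.+|FIELDALIAS-.+|EVAL-.+|LOOKUP-.+|KV_MODE)$")

def parse_conf(text):
    """Parse a .conf body into {(stanza, key): value}."""
    settings, stanza = {}, "default"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(stanza, key.strip())] = value.strip()
    return settings

def classify(key):
    if INDEX_TIME.match(key):
        return "index-time"
    return "search-time" if SEARCH_TIME.match(key) else "unknown"

def restart_advice(role, old_text, new_text):
    """role is 'indexer' or 'heavy_forwarder' (hypothetical labels)."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    changed = sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))
    kinds = {classify(key) for _, key in changed}
    if not changed:
        return "no change", changed
    if role == "heavy_forwarder" or "index-time" in kinds:
        return "restart", changed            # scenario items 2 and 3
    if kinds == {"search-time"}:
        return "no restart", changed         # scenario item 1
    return "check the reference topic", changed

# Constructed sample: two versions of one props.conf stanza.
OLD = "[acme:auth]\nTIME_FORMAT = %Y-%m-%d %H:%M:%S\nEXTRACT-user = user=(?<user>\\S+)\n"
NEW_SEARCH = OLD + "FIELDALIAS-src = src_ip AS src\n"
NEW_INDEX = OLD.replace("%H:%M:%S", "%H:%M:%S.%3N")

if __name__ == "__main__":
    for role, new in [("indexer", NEW_SEARCH), ("indexer", NEW_INDEX),
                      ("heavy_forwarder", NEW_SEARCH)]:
        print(role, restart_advice(role, OLD, new))
```

Settings that match neither pattern are reported as "check the reference topic" rather than guessed.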

Scenario: You edit savedsearches.conf and the new search creates a REST endpoint
